the virtual system to which this password applies.
, then enter
it again to
SSL/TLS Service Profile
SSL/TLS service profiles specify
the certificate that the firewall presents to the user if the site
with the override is an HTTPS site.
user for the password:
prompt appears to originate from the original destination URL. The
firewall intercepts the browser traffic destined for sites in a
URL category set to override and issues an HTTP 302 to prompt for
the password, which applies on a per-vsys level.
client browser will display certificate errors if it does not trust
password prompt appears from an
address or DNS hostname) that you specify. The firewall intercepts
HTTP or HTTPS traffic to a URL category set to override and uses
an HTTP 302 redirect to send the request to a Layer 3 interface
on the firewall.
) Set the duration of override access
and password lockouts.
By default, users can access websites in categories for
which they have successfully entered an override password for 15
minutes. After the default or custom interval passes, users must
re-enter the password.
By default, users are blocked for 30
minutes after three failed password attempts. After the user is
locked out for the default or custom duration, they can try to access the
Edit the URL Filtering section.
URL Admin Override Timeout
a value (in minutes) from 1 to 86,400. By default, users can
access sites within the category for 15 minutes without re-entering
URL Admin Lockout Timeout
a value (in minutes) from 1 to 86,400.
(Redirect mode only) Create a Layer 3 interface
to which to redirect web requests to sites in a category configured
Create a management profile to enable the
interface to display the URL Filtering Continue and Override Page
for the profile, select
, and then click
Create the Layer 3 interface. Be sure to attach the
management profile you just created (on the
tab of the Ethernet
(Redirect mode only) To transparently redirect
users without displaying certificate errors, install a certificate
that matches the IP address of the interface to which you are redirecting
web requests to a site in a URL category configured for override. You
can either generate a self-signed certificate or import a certificate
that is signed by an external CA.
To use a self-signed certificate, you must first create
a root CA certificate and then use that CA to sign the certificate
you will use for URL admin override as follows:
To create a root CA certificate, select
. Enter a
such as RootCA. Do not select a value in the
(this is what indicates that it is self-signed). Make sure you select
check box and then
To create the certificate to use for URL admin override,
. Enter a
enter the DNS hostname or IP address of the interface as the
. In the
select the CA you created in the previous step. Add an IP address
attribute and specify the IP address of the Layer 3 interface
to which you will be redirecting web requests to URL categories
that have the override action.
To configure clients to trust the certificate, select
the CA certificate on the
. You must then import the
certificate as a trusted root CA into all client browsers, either
by manually configuring the browser or by adding the certificate
to the trusted roots in an Active Directory Group Policy Object
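A check for the redirect-mode certificate requirement above, as an added example that is not part of the original documentation: it tests whether a certificate's subject alternative name (SAN) entries cover the redirect address. The SAN lists, the hostname and the 192.0.2.10 address are constructed sample values, the (type, value) layout follows Python's ssl.getpeercert() output, and SAN-only matching with no Common Name fallback is an assumption about the client browsers.

```python
import ipaddress

def _dns_match(host, pattern):
    """Case-insensitive DNS match; '*.' covers exactly one leftmost label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return host == pattern

def san_matches(target, san_entries):
    """True if the redirect address is covered by the certificate's SAN list.

    san_entries: (type, value) pairs as in ssl.getpeercert()["subjectAltName"].
    Assumption: SAN-only matching, the Common Name is never consulted.
    """
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None  # not an IP literal, treat as a DNS hostname
    for kind, value in san_entries:
        if target_ip is not None:
            # An IP target matches only an "IP Address" entry; a DNS entry
            # holding the same digits does not count.
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == target_ip:
                        return True
                except ValueError:
                    continue  # malformed entry, ignore
        elif kind == "DNS" and _dns_match(target, value):
            return True
    return False

def audit(redirect_address, san_entries):
    """Report what a client redirected to redirect_address should see."""
    if san_matches(redirect_address, san_entries):
        return "ok"
    return "certificate error expected: no SAN entry covers " + redirect_address

# Constructed sample SAN lists (documentation address range, made-up hostname).
WITH_IP_ATTRIBUTE = [("DNS", "override.example.test"), ("IP Address", "192.0.2.10")]
IP_TYPED_AS_DNS = [("DNS", "192.0.2.10")]
HOSTNAME_ONLY = [("DNS", "override.example.test")]

if __name__ == "__main__":
    for name, san in [("with IP attribute", WITH_IP_ATTRIBUTE),
                      ("IP typed as DNS", IP_TYPED_AS_DNS),
                      ("hostname only", HOSTNAME_ONLY)]:
        print(name, "->", audit("192.0.2.10", san))
```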
Specify which URL categories require an override password
to enable access.
and either select
an existing URL Filtering profile or
the Action to
for each category
that requires a password.
Complete any remaining sections on the URL Filtering
profile and then click
to save the profile.
Apply the URL Filtering profile to the Security policy
rule(s) that allow access to the sites requiring password override
and select the appropriate
Security policy to modify it.